
ws-sx message



Subject: RE: [ws-sx] Issue 55: Clarification on RequireDerivedKeys and X509Token under AsymmetricBinding


I have not seen any further discussion of this. It sounds like the spec
is clear on how to interpret this. I suggest we close this issue with no
action. 

Marc Goodner
Technical Diplomat
Microsoft Corporation
Tel: (425) 703-1903
Blog: http://spaces.msn.com/mrgoodner/ 


-----Original Message-----
From: Martin Gudgin [mailto:mgudgin@microsoft.com] 
Sent: Tuesday, May 16, 2006 9:49 PM
To: K.Venugopal@Sun.COM; Paul Cotton
Cc: ws-sx@lists.oasis-open.org
Subject: RE: [ws-sx] Issue 55: Clarification on RequireDerivedKeys and
X509Token under AsymmetricBinding

I've now had chance to spend some time looking at this. Given the policy
below I would expect the following;

1.	the request message would be signed with the initiator's private
key and encrypted with a key derived from a symmetric key that is
encrypted with the recipient's public key. 
2.	the response message would be signed with the recipient's
private key and encrypted with a key derived from a symmetric key that
is encrypted with the initiator's public key.

In both cases how the key is derived will be specified in the
wsc:DerivedKeyToken in the message.

Cheers

Gudge

> -----Original Message-----
> From: K.Venugopal@Sun.COM [mailto:K.Venugopal@Sun.COM]
> Sent: 11 April 2006 10:42
> To: Paul Cotton
> Cc: ws-sx@lists.oasis-open.org
> Subject: Re: [ws-sx] Issue 55: Clarification on RequireDerivedKeys and
> X509Token under AsymmetricBinding
> 
> Hi Paul,
> 
> Sorry for the delayed response, please see inline
> 
> Paul Cotton wrote:
> > From today's F2F draft minutes:
> >
> > ===
> > i055   Clarification on RequireDerivedKeys and X509Token under 
> > AsymmetricBinding   
> > http://lists.oasis-open.org/archives/ws-sx/200603/msg00121.html
> >
> > The TC discussed this issue but it was not clear what use the case that
> > K. Venugopal was discussing.  The TC would like him to better explain
> > his use case so that we can understand the issue.
> > ==
> >
> > Please clarify your use case and/or restate your questions since the TC
> > does not yet understand your questions.
> >
> >   
> <deleted/>
> In context to my previous mail let me know if this helps.
> 
> If I have a policy like shown below, I would like to know how the 
> message is secured. How are the keys derived?
> 
> <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>     <wsp:Policy>
>         <sp:InitiatorToken>
>             <wsp:Policy>
>                 <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>                     <wsp:Policy>
>                         <sp:WssX509V3Token10 />
>                         <sp:RequireDerivedKeys/>
>                     </wsp:Policy>
>                 </sp:X509Token>
>             </wsp:Policy>
>         </sp:InitiatorToken>
> 
>         <sp:RecipientToken>
>             <wsp:Policy>
>                 <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
>                     <wsp:Policy>
>                         <sp:WssX509V3Token10 />
>                         <sp:RequireDerivedKeys/>
>                     </wsp:Policy>
>                 </sp:X509Token>
>             </wsp:Policy>
>         </sp:RecipientToken>
> 
>         <sp:AlgorithmSuite>
>             <wsp:Policy>
>                 <sp:Basic256 />
>             </wsp:Policy>
>         </sp:AlgorithmSuite>
> 
>         <sp:Layout>
>             <wsp:Policy>
>                 <sp:Lax />
>             </wsp:Policy>
>         </sp:Layout>
> 
>         <sp:IncludeTimestamp />
> 
>         <sp:OnlySignEntireHeadersAndBody />
>     </wsp:Policy>
> </sp:AsymmetricBinding>
> 
> Thank You,
> Venu
> 
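
The thread above says the derivation is specified by the wsc:DerivedKeyToken carried in the message. The following is an added example, not code from the thread or from the OASIS specifications, showing how a receiver could recompute such a key. It assumes the WS-SecureConversation 2005/02 namespace, the P_SHA-1 mechanism with that specification's default label, and a constructed 32-byte secret standing in for the symmetric key recovered from the key encrypted to the recipient's public key; the RSA unwrapping step and the helper names are not from the page.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

WSC_NS = "http://schemas.xmlsoap.org/ws/2005/02/sc"  # assumed WS-SecureConversation version
DEFAULT_LABEL = b"WS-SecureConversationWS-SecureConversation"

def p_sha1(secret: bytes, seed: bytes, n: int) -> bytes:
    """P_SHA-1 expansion as defined in RFC 2246, section 5."""
    out, a = b"", seed
    while len(out) < n:
        a = hmac.new(secret, a, hashlib.sha1).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()  # HMAC(secret, A(i) + seed)
    return out[:n]

def derive_from_token(secret: bytes, token_xml: str) -> bytes:
    """Recompute the key described by a wsc:DerivedKeyToken from the shared secret."""
    tok = ET.fromstring(token_xml)
    def field(name, default=None):
        el = tok.find(f"{{{WSC_NS}}}{name}")
        return el.text.strip() if el is not None and el.text else default
    nonce_b64 = field("Nonce")
    if nonce_b64 is None:
        raise ValueError("this example only handles tokens that carry wsc:Nonce")
    label = field("Label")
    seed = (label.encode("utf-8") if label else DEFAULT_LABEL) + base64.b64decode(nonce_b64)
    offset = int(field("Offset", "0"))   # defaults used when the element is absent
    length = int(field("Length", "32"))
    if offset < 0 or length <= 0 or offset + length > 1024:  # this example's own sanity limit
        raise ValueError("Offset/Length out of range")
    return p_sha1(secret, seed, offset + length)[offset:offset + length]

# Constructed sample values, not taken from any real message.
SECRET = bytes(range(32))
NONCE = bytes(range(16))

def sample_token(offset: int, length: int) -> str:
    return f"""<wsc:DerivedKeyToken xmlns:wsc="{WSC_NS}">
  <wsc:Offset>{offset}</wsc:Offset>
  <wsc:Length>{length}</wsc:Length>
  <wsc:Nonce>{base64.b64encode(NONCE).decode()}</wsc:Nonce>
</wsc:DerivedKeyToken>"""

if __name__ == "__main__":
    print(derive_from_token(SECRET, sample_token(0, 32)).hex())
```

A Length of 32 bytes gives a 256-bit key, which is the size AES-256 encryption under the Basic256 suite in the quoted policy would need.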

